This document is a presentation on GDPR given at the University of Dundee. It provides an overview of key GDPR concepts such as personal data, processing, lawful bases for processing including consent, and the principles of accountability. It discusses how GDPR compliance applies even when personal data from EU citizens is processed outside the EU. Examples are given of how services like Padlet, Peerwise and Teammates can be used in education in a GDPR-compliant way. The presentation emphasizes obtaining consent, anonymizing or obscuring personal data, and having alternatives for students who do not wish to provide personal data.
1. #altc
What about GDPR?
Martin Hawksey
@mhawksey
Please feel free to share photos of slides. Various copyright licences are used in this presentation for both content and images. If an image on
a slide has no CC attribution assume it is a copyrighted source. This presentation is shared as CC-BY mhawksey.
Presented at: ELESIG Scotland,
University of Dundee
26 November 2018
Slides go.alt.ac.uk/elesig-gdpr
2. “
alt.ac.uk
Join and interact via zeetings.com
You can follow slides and take part in polls by
going to:
zeetings.com/mhawksey
Accessing this talk via zeetings.com is optional.
Slides also available from go.alt.ac.uk/elesig-gdpr
5. Nota Lawyer
Disclaimer: I’m not a lawyer, or data
protection expert and I’m only sharing
my interpretation of information I’ve
gathered for your consideration and
does not constitute as legal advice.
6. alt.ac.uk
How familiar are you with GDPR?
A. First time I’ve heard about GDPR
B. Aware of GDPR
C. Know a bit about GDPR and key
principles
D. Know a lot about GDPR and key
principles
7. alt.ac.uk
What level of support have you had?
A. No support at all
B. Self-directed study
C. Taken mandatory training provided by
my institution
D. Been provided guidance by my Data
Protection Officer and/or support staff
9. Data is the new nuclear
Data isn’t the new oil —
it’s the new nuclear power
James Bridle Image Copyright: Leonardo Santamaria
9/46
10. Image: CC-BY Selfdestination
https://flic.kr/p/gGZYKK
The General Data Protection
Regulation (GDPR) (EU) 2016/679
is a regulation in EU law on data
protection and privacy for all
individuals within the European
Union. It also addresses the
export of personal data outside
the EU. - Wikipedia
11. GDPR compliance isn’t just
required by EU based
organisations. Any ‘enterprise’
processing ‘personal data’ from
EU citizens needs to be GDPR
compliant or they can face
“penalties of up to 4% of
worldwide turnover or €20
million, whichever is higher”.
Image: CC-BY MoneyBlogNewz
https://flic.kr/p/9eXnSq
Non compliance penalties
14. Personal data means any
information relating to an
identified or identifiable natural
person (‘data subject’); an
identifiable natural person is
one who can be identified,
directly or indirectly - Article 4(1)
Personal Data
14/46
15. Personal data that has been
pseudonymised – eg key-coded –
can fall within the scope of the
GDPR depending on how difficult
it is to attribute the pseudonym
to a particular individual. – UK
ICO Key Definitions
Personal Data
15/46
16. 16
Image: CC-BY-SA Dennis van Zuijlekom
https://flic.kr/p/ApBi1X
Image: CC-BY-NC-ND Matthijs
https://flic.kr/p/89w39B
Access Erasure
18. Data Controller - A controller
determines the purposes and
means of processing personal
data. (e.g. your institution)
Data Processor - A processor is
responsible for processing
personal data on behalf of a
controller. (e.g. any 3rd party
your institution contracts that
can access personal data)
Data Controller/Processor
18/46
20. 'processing' means any operation or set of
operations which is performed on personal data or
on sets of personal data, whether or not by
automated means, such as collection, recording,
organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or
otherwise making available, alignment or
combination, restriction, erasure or destruction;
-Article 4(2)
Processing
20/46
21. ● Lawfulness, fairness and transparency
● Purpose limitation
● Data minimisation
● Accuracy
● Storage limitation
● Integrity and confidentiality (security)
● Accountability
GDPR Key Principles
21/46
34. “
alt.ac.uk
● Lawful basis: We’re using legitimate interests of the University in providing the service to its
staff and students as the lawful basis for processing personal data within the Media Hopper
Replay service. The Data protection Officer and lawyers were very clear that this is the
appropriate basis (and that the consent lawful basis would actually not be appropriate for a
number of reasons, including ensuring consent is freely given, given the power imbalance
between the University and either a member of staff or a student, and some of the implications
for implementing any withdrawal of consent once a recording has been made.
36. The processor shall not engage
another processor without prior
specific or general written
authorisation of the controller -
Article 28(2)
Processor
36/46
38. The following examples are provided by
Salman Usman (Academic E-learning
Developer) Kingston University London. You
are welcome to re-use/re-purpose these but
you will need to check with your Data
Protection Officer or equivalent first.
39. The personal data Padlet holds is staff account details for Padlet
and students placing their name or university ID in their Padlet
posts for the lecturer to identify them. In order to make the use
of Padlet mandatory for students and avoid the need for
students to sign a consent form, staff should undertake the
following measures:
● Staff should not use their KU email account and password
when creating an account with Padlet
● Password-protect the Padlet staff are using with their
students
● In their Padlet posts students should only include arbitrary
identifiers that are only known to the lecturer. Staff need to
store the mapping between student name/ university ID and
their identifier securely on university network drive.
Provided by: Salman Usman,Kingston University London
40. The personal data PeerWise holds is staff account details for
PeerWise and student identifier, username, password and email
address. In order to make the use of PeerWise mandatory for
students and avoid the need for students to sign a consent form,
staff should undertake the following measures:
● Although it is a requirement to provide KU email address, staff
should not use their KU email password when creating an
account with PeerWise
● Student identifiers provided to PeerWise should not be their
name, university ID or anything else that can identify them.
Instead, provide an arbitrary identifier for each student and
store the mapping of students’ university ID and their arbitrary
PeerWise identifiers securely on university network drive.
● Ask students that when setting up accounts, not to choose a
username that identifies them, not to use university password
for their PeerWise account password, and not to provide their
email address (which is optional anyway).
Provided by: Salman Usman,Kingston University London
41. The personal data that TEAMMATES holds is staff account details for
TEAMMATES, student KU email, feedback that students give to their peers and
receive from their lecturers and peers. In order to minimise risks associated
with using this tool, staff should undertake the following measures:
● The use of TEAMMATES should not be mandatory as it is not possible to
use it without providing students’ personal data.
● Staff and other members of teaching team should be made aware that
the tool is not supported by the university and that there may be risks
associated with handling of personal data. To this end, students need to
sign a consent form. Those students who wish to opt out should be
provided an alternative method to participate and it should not
disadvantage those that choose this method.
● Ensure that peer feedback is given anonymously to all group members (by
choosing appropriate settings)
● Staff should not use their KU email address and password when creating
Google account to use with TEAMMATES
● Delete all data after end of academic term
Provided by: Salman Usman,Kingston University London
43. alt.ac.ukPhoto by rawpixel on Unsplash
No data processing agreement...
● Supported alternatives
● Make optional
● Obscure identity
● Limit functionality